Apps that appear legitimate but are actually scams set up to steal customers’ money are proliferating across Apple’s App Store, and the company is moving quickly to remove them before the situation turns into a PR disaster.
Apple is infamous for its iron-fisted control over which apps are made available for purchase on its App Store. In the last week, however, more than 10 apps that appear to be legitimate bitcoin wallets—where users of the cryptocurrency store their coins—but are engineered to siphon away those coins when they input their information, have made it through Apple’s vetting process.
The apps, first identified in several posts on Reddit, appear to use portions of the source code for legitimate bitcoin wallets like Breadwallet in order to appear aesthetically identical to unsuspecting customers. One Reddit post by “breadwallet_dan” noted that “a few users who inadvertently downloaded the fake app have reported having funds stolen from it,” although the exact number of people affected isn’t clear. Scam wallets that are designed to look like those offered by companies such as BitGo and Coinbase have also been reported.
“We talked with one customer who claims to have lost about $10,000, and if we go and look at the coin address where those coins were deposited, last I checked there was $20,000 listed at that address,” said Breadwallet co-founder Aaron Voisine in an interview. “So, that’s our current estimate for how much customers have lost.”
According to an Apple spokesperson who spoke on background, the scammy apps have been removed from the App Store, and the company reviews and vets all of the apps that end up on the store.
The scam appears to be an updated version of a classic internet hustle that involves “spoofing” a legitimate website—creating an identical copy—that unwitting users can be fooled into trusting with their personal information or credit card number. Apps that publish their source code so that the tech community can vet their software—like Breadwallet does—are especially vulnerable to this sort of attack, since anyone can copy the code to create their own version.
“I think it would be good for Apple to go through some extra process to make sure they have the identity of the person posting any app in the finance section,” Voisine said.
Even though it’s impossible to say right now how much money was lost, it seems like Apple is taking the issue seriously by removing the apps quickly. One big question that Apple isn’t answering right now, however, is how these dangerous scams made it on to the App Store in the first place.
UPDATE: An earlier version of this article had the headline “Money-Stealing Apps are Popping Up on the App Store.” This has been changed to reflect new information about how much bitcoin was stolen from customers. This article has also been updated to include comment from Breadwallet co-founder Aaron Voisine.